Ensure S3 bucket MFA Delete is enabled

Error: AWS S3 bucket is not configured with MFA Delete

Bridgecrew Policy ID: BC_AWS_S3_24
Checkov Check ID: CKV_AWS_93
Severity: MEDIUM

Description

If a bucket's versioning configuration has MFA Delete enabled, the bucket owner must include the x-amz-mfa request header to delete an object version. Requests that include x-amz-mfa must be sent over HTTPS.

Configuring a bucket with MFA (multi-factor authentication) Delete enabled requires additional authentication for either of the following operations:
(1) Changing the versioning state of the bucket.
(2) Permanently deleting an object version.

We recommend that you configure your S3 buckets with MFA Delete enabled. MFA Delete is a property of the bucket's versioning configuration, so versioning must be enabled at the same time (the CLI command below sets both).

Fix - Runtime

CLI Command

aws s3api put-bucket-versioning --profile my-root-profile --bucket my-bucket-name --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa "arn:aws:iam::00000000:mfa/root-account-mfa-device 123456"
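To confirm the runtime state before and after running the command above, the check only needs the output of `aws s3api get-bucket-versioning` (or boto3's `get_bucket_versioning`), which carries `Status` and `MFADelete`. The following is an added example, not code from the Bridgecrew page or from Checkov: it evaluates such responses the way this policy does, treating a missing `MFADelete` key (S3 omits it when MFA Delete was never configured), `Disabled`, or a bucket without versioning as non-compliant. The bucket names and responses are constructed sample data.

```python
"""Evaluate S3 versioning configurations for MFA Delete (CKV_AWS_93-style check).

Added example; the input dicts have the shape returned by
s3.get_bucket_versioning(Bucket=...) / `aws s3api get-bucket-versioning`.
"""
from dataclasses import dataclass
from typing import Dict, List

COMPLIANT = "PASSED"
NON_COMPLIANT = "FAILED"


@dataclass(frozen=True)
class Finding:
    bucket: str
    result: str
    reason: str


def evaluate_versioning(bucket: str, config: Dict[str, str]) -> Finding:
    """Return a Finding for one bucket's GetBucketVersioning response.

    An unversioned bucket returns neither 'Status' nor 'MFADelete', and S3
    omits 'MFADelete' when it has never been set, so missing keys fail the check.
    """
    status = config.get("Status")
    mfa = config.get("MFADelete")
    if status != "Enabled":
        return Finding(bucket, NON_COMPLIANT,
                       f"versioning status is {status or 'not set'}; "
                       "MFA Delete requires versioning to be enabled")
    if mfa != "Enabled":
        return Finding(bucket, NON_COMPLIANT, f"MFADelete is {mfa or 'not set'}")
    return Finding(bucket, COMPLIANT, "versioning enabled with MFA Delete")


def evaluate_all(configs: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Evaluate a mapping of bucket name -> versioning response, sorted by name."""
    return [evaluate_versioning(name, cfg) for name, cfg in sorted(configs.items())]


# Constructed sample responses (not real buckets) covering each outcome.
SAMPLE_CONFIGS: Dict[str, Dict[str, str]] = {
    "logs-bucket": {"Status": "Enabled", "MFADelete": "Enabled"},   # compliant
    "app-assets": {"Status": "Enabled"},                            # MFADelete never set
    "tmp-uploads": {},                                              # versioning never enabled
    "archive": {"Status": "Suspended", "MFADelete": "Disabled"},    # both turned off
}

if __name__ == "__main__":
    for finding in evaluate_all(SAMPLE_CONFIGS):
        print(f"{finding.result:6} {finding.bucket}: {finding.reason}")
```

In a real sweep, populate the mapping by calling `get_bucket_versioning` for each bucket from `list_buckets`; the evaluation logic stays the same. The `Status` check comes first because `MFADelete` is meaningless on an unversioned bucket, and the reason string tells the operator which of the two settings to fix.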

Fix - Buildtime

Terraform

Resource: aws_s3_bucket
Argument: mfa_delete - (Optional) Enable MFA delete for either changing the versioning state of your bucket or permanently deleting an object version. Default is false. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS.

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  acl    = "private"

  versioning {
    enabled    = true
    mfa_delete = true # added: reflects MFA Delete enabled on the bucket
  }
}